IDENTITY AND ACCESS MANAGEMENT ARCHITECT Flashcards
Universal Containers wants to secure its Salesforce APIs by using an existing Security Assertion Markup Language (SAML) configuration that supports the company’s single sign-on process to Salesforce.
Which Salesforce OAuth authorization flow should be used?
A. OAuth 2.0 SAML Bearer Assertion Flow
B. SAML Assertion Flow
C. OAuth 2.0 User-Agent Flow
D. OAuth 2.0 JWT Bearer Flow
Answer: B
An identity architect’s client has a homegrown identity provider (IdP). Salesforce is used as the service provider (SP). The head of IT is worried that during an SP-initiated single sign-on (SSO), the Security Assertion Markup Language (SAML) request content will be altered.
What should the identity architect recommend to make sure that there is additional trust between the SP and the IdP?
A . Ensure that there is an HTTPS connection between IDP and SP.
B . Ensure that on the SSO settings page, the ‘Request Signing Certificate’ field has a self-signed certificate.
C . Ensure that the Issuer and Assertion Consumer Service (ACS) URL are properly configured between SP and IdP.
D . Encrypt the SAML Request using a certification authority (CA) signed certificate and decrypt on the IdP.
Answer: D
A public sector agency is setting up an identity solution for its citizens using a Community built on Experience Cloud and requires the new user registration functionality to capture first name, last name, and phone number. The phone number will be used for identity verification.
Which feature should an identity architect recommend to meet the requirements?
A . Integrate with social websites (Facebook, LinkedIn, Twitter)
B . Use an external Identity Provider
C . Create a custom Lightning Web Component
D . Use Login Discovery
Answer: D
Northern Trail Outfitters would like to use a portal built on Salesforce Experience Cloud for customer self-service. Guests of the portal should be able to self-register, but should not be automatically assigned to a contact record until verified. External Identity licenses have been purchased for the project. After registered guests complete an onboarding process, a flow will create the appropriate account and contact records for the user.
Which three steps should an identity architect follow to implement the outlined requirements?
Choose 3 answers
A . Enable ‘Allow customers and partners to self-register’.
B . Select the ‘Configurable Self-Reg Page’ option under Login & Registration.
C . Set up an external login page and call Salesforce APIs for user creation.
D . Customize the self-registration Apex handler to temporarily associate the user to a shared single contact record.
E . Customize the self-registration Apex handler to create only the user record.
Answer: A, B, E
Northern Trail Outfitters (NTO) believes a specific user account may have been compromised. NTO inactivated the user account and needs to perform a forensic analysis and identify signals that could indicate a breach has occurred.
What should NTO’s first step be in gathering signals that could indicate account compromise?
A . Review the User record and evaluate the login and transaction history.
B . Download the Setup Audit Trail and review all recent activities performed by the user.
C . Download the Identity Provider Event Log and evaluate the details of activities performed by the user.
D . Download the Login History and evaluate the details of logins performed by the user.
Answer: D
When designing a multi-branded Customer Identity and Access Management solution on the Salesforce Platform, how should an identity architect ensure a specific brand experience in Salesforce is presented?
A . The Experience ID, which can be included in OAuth/OpenID flows and Security Assertion Markup Language (SAML) flows as a URL parameter.
B . Provide a brand picker that the end user can use to select their sub-brand when they arrive on Salesforce.
C . Add a custom parameter to the service provider’s OAuth/SAML call and implement logic on its login page to apply branding based on the parameter’s value.
D . The Audience ID, which can be set in a shared cookie.
Answer: A
Northern Trail Outfitters (NTO) has an off-boarding process where a terminated employee is first disabled in the Lightweight Directory Access Protocol (LDAP) directory, then requests are sent to the various application support teams to finish user deactivations. A terminated employee recently was able to log in to NTO’s Salesforce instance 24 hours after termination, even though the user was disabled in the corporate LDAP directory.
What should an identity architect recommend to prevent this from happening in the future?
A . Create a Just-in-Time provisioning registration handler to ensure users are deactivated in Salesforce as they are disabled in LDAP.
B . Configure an authentication provider to delegate authentication to the LDAP directory.
C . Use a login flow to make a callout to the LDAP directory before authenticating the user to Salesforce.
D . Setup an identity provider (IdP) to authenticate users using LDAP, set up single sign-on to Salesforce and disable Login Form authentication.
Answer: B
A university is planning to set up an identity solution for its alumni. A third-party identity provider will be used for single sign-on; Salesforce will be the system of record. Users are getting error messages when logging in.
Which Salesforce feature should be used to debug the issue?
A . Apex Exception Email
B . View Setup Audit Trail
C . Debug Logs
D . Login History
Answer: D
An insurance company has a connected app in its Salesforce environment that is used to integrate with Google Workspace (formerly known as G Suite). An identity and access management (IAM) architect has been asked to implement automation to enable users, freeze/suspend users, disable users, and reactivate existing users in Google Workspace upon similar actions in Salesforce.
Which solution is recommended to meet this requirement?
A . Configure user Provisioning for Connected Apps.
B . Update the Security Assertion Markup Language Just-in-Time (SAML JIT) handler in Salesforce for user provisioning and de-provisioning.
C . Build a custom REST endpoint in Salesforce that Google Workspace can poll against.
D . Build an Apex trigger on the UserLogin object to make asynchronous callouts to Google APIs.
Answer: A
Universal Containers is creating a web application that will be secured by Salesforce Identity using the OAuth 2.0 Web Server Flow (which uses the OAuth 2.0 authorization code grant type).
Which three OAuth concepts apply to this flow?
Choose 3 answers
A . Verification URL
B . Client Secret
C . Access Token
D . Scopes
Answer: B, C, D
An administrator created a connected app for a custom web application in Salesforce which needs to be visible as a tile in App Launcher. The tile for the custom web application is missing in the App Launcher for all users in Salesforce. The administrator requested assistance from an identity architect to resolve the issue.
Which two reasons are the source of the issue?
Choose 2 answers
A . StartURL for the connected app is not set in Connected App settings.
B . OAuth scope does not include ‘openid’.
C . Session Policy is set as ‘High Assurance Session required’ for this connected app.
D . The connected app is not set in the App menu as ‘Visible in App Launcher’.
Answer: A, C
Northern Trail Outfitters (NTO) recently purchased Salesforce Identity Connect to streamline user provisioning across Microsoft Active Directory (AD) and Salesforce Sales Cloud. NTO has asked an identity architect to identify which Salesforce security configurations can map to AD permissions.
Which three Salesforce permissions are available to map to AD permissions?
Choose 3 answers
A . Public Groups
B . Field-Level Security
C . Roles
D . Sharing Rules
E . Profiles and Permission Sets
Answer: A, C, E
An identity architect is setting up an integration between Salesforce and a third-party system. The third-party system needs to authenticate to Salesforce and then make API calls against the REST API.
One of the requirements is that the solution needs to ensure the third-party service provider’s connected app in Salesforce minimizes the need for end-user interaction and maximizes security.
Which OAuth flow should be used to fulfill the requirement?
A . JWT Bearer Flow
B . Web Server Flow
C . User Agent Flow
D . Username-Password Flow
Answer: A
Northern Trail Outfitters (NTO) uses Salesforce for Sales Opportunity Management. Okta was recently brought in to Just-in-Time (JIT) provision and authenticate NTO users to applications. Salesforce users also use Okta to authorize a Forecasting web application to access Salesforce records on their behalf.
Which two roles are being performed by Salesforce?
Choose 2 answers
A . SAML Identity Provider
B . OAuth Client
C . OAuth Resource Server
D . SAML Service Provider
Answer: B, D
A multinational industrial products manufacturer is planning to implement Salesforce CRM to manage their business. They have the following requirements:
- They plan to implement Partner communities to provide access to their partner network.
- They have operations in multiple countries and are planning to implement multiple Salesforce orgs.
- Some of their partners do business in multiple countries and will need information from multiple Salesforce communities.
- They would like to provide a single login for their partners.
How should an Identity Architect solve this requirement with limited custom development?
A . Create a partner login for the country of their operation and use SAML federation to provide access to other orgs.
B . Consolidate Partner related information in a single org and provide access through Salesforce community.
C . Allow partners to choose the Salesforce org they need information from and use login flows to authenticate access.
D . Register partners in one org and access information from other orgs using APIs.
Answer: A
Universal Containers wants users to be able to log in to the Salesforce mobile app with their Active Directory password. Employees are unable to use mobile VPN.
Which two options should an identity architect recommend to meet the requirement?
Choose 2 answers
A . Active Directory Password Sync Plugin
B . Configure Cloud Provider Load Balancer
C . Salesforce Trigger & Field on Contact Object
D . Salesforce Identity Connect
Answer: A, D
Universal Containers (UC) has an Experience Cloud site (Customer Community) where customers can authenticate and place orders, view the status of orders, etc. UC allows guest checkout.
How can a guest register using data previously collected during order placement?
A . Enable Security Assertion Markup Language Sign-On and use a login flow to collect only order details to retrieve customer data.
B . Enable Facebook as an authentication provider and use a registration handler to collect only order details to retrieve customer data.
C . Use a Connected App Handler Apex Plugin class to collect only order details to retrieve customer data.
D . Enable self-registration and customize a self-registration page to collect only order details to retrieve customer data.
Answer: D
Northern Trail Outfitters (NTO) employees use a custom on-premise helpdesk application to request, approve, notify, and track access granted to various on-premises and cloud applications, including Salesforce. Salesforce is currently used to authenticate users.
How should NTO provision Salesforce users as soon as they are approved in the helpdesk application with the approved profiles and permission sets?
A . Build an integration that performs a remote call-in to the Salesforce SOAP or REST API.
B . Use a login flow to query the helpdesk to validate user status.
C . Have the helpdesk initiate an IdP-initiated Just-in-Time provisioning Security Assertion Markup Language flow.
D . Use Salesforce Connect to integrate with the helpdesk application.
Answer: B
Universal Containers allows employees to use a mobile device to access Salesforce for daily operations using a hybrid mobile app. This app uses the Mobile software development kit (SDK), leverages a refresh token to regenerate the access token when required, and is distributed as a private app. The chief security officer is rolling out an org-wide compliance policy to enforce re-verification of devices if an employee has not logged in from that device in the last week.
Which connected app setting should be leveraged to comply with this policy change?
A . Scope - Deny refresh_token scope for this connected app.
B . Refresh Token Policy - Expire the refresh token if it has not been used for 7 days.
C . Session Policy - Set timeout value of the connected app to 7 days.
D . Permitted User - Ask admins to maintain a list of users who are permitted based on last login date.
Answer: B
A company wants to provide its employees with a custom mobile app that accesses Salesforce. Users are required to download the internal native iOS mobile app from the corporate intranet on their mobile device. The app allows flexibility to access other non-Salesforce internal applications once users authenticate with Salesforce. The apps self-authorize, and users are permitted to use the apps once they have logged into Salesforce.
How should an identity architect meet the above requirements with the privately distributed mobile app?
A . Use connected app with OAuth and Security Assertion Markup Language (SAML) to access other non-Salesforce internal apps.
B . Configure Mobile App settings in connected app and Salesforce as identity provider for non-Salesforce internal apps.
C . Use Salesforce as an identity provider (IdP) to access the mobile app and use the external IdP for other non-Salesforce internal apps.
D . Create a new hybrid mobile app and use the connected app with OAuth to authenticate users for Salesforce and non-Salesforce internal apps.
Answer: B
A global company is using the Salesforce Platform as an Identity Provider and needs to integrate a third-party application with its Experience Cloud customer portal.
Which two features should be utilized to provide users with login and identity services for the third-party application?
Choose 2 answers
A . Use the App Launcher with single sign-on (SSO).
B . External Data Source with Named Principal identity type.
C . Use a connected app.
D . Use Delegated Authentication.
Answer: A, C
Northern Trail Outfitters manages application functional permissions centrally as Active Directory groups. The CRM_SuperUser and CRM_Reporting_SuperUser groups should respectively give the user the SuperUser and Reporting_SuperUser permission set in Salesforce. Salesforce is the service provider to a Security Assertion Markup Language (SAML) identity provider.
How should an identity architect ensure the Active Directory groups are reflected correctly when a user accesses Salesforce?
A . Use the Apex Just-in-Time handler to query standard SAML attributes and set permission sets.
B . Use the Apex Just-in-Time handler to query custom SAML attributes and set permission sets.
C . Use a login flow to query custom SAML attributes and set permission sets.
D . Use a login flow to query standard SAML attributes and set permission sets.
Answer: B
A financial enterprise is planning to set up a user authentication mechanism to log in to the Salesforce system. Due to regulatory requirements, the CIO of the company wants user administration, including passwords and authentication requests, to be managed by an external system that is only accessible via a SOAP web service.
Which authentication mechanism should an identity architect recommend to meet the requirements?
A . OAuth Web-Server Flow
B . Identity Connect
C . Delegated Authentication
D . Just-in-Time Provisioning
Answer: C
A real estate company wants to provide its customers a digital space to design their interior decoration options. To simplify the registration to gain access to the community site (built in Experience Cloud), the CTO has requested that the IT/Development team provide the option for customers to use their existing social media credentials to register and access.
The IT lead has approached the Salesforce Identity and Access Management (IAM) architect for technical direction on implementing the social sign-on (for Facebook, Twitter, and a new provider that supports standard OpenID Connect (OIDC)).
Which two recommendations should the Salesforce IAM architect make to the IT Lead?
Choose 2 answers
A . Use a declarative registration handler (Process Builder/Flow) to create and update users and contacts.
B . An authentication provider configuration is required for each social sign-on provider, and Authentication Providers must be enabled in the community.
C . For supporting OIDC it is necessary to enable Security Assertion Markup Language (SAML) with Just-in-Time provisioning (JIT) and OAuth 2.0.
D . Apex coding skills are needed for registration handler to create and update users.
Answer: B, D
Universal Containers (UC) is using its production org as the identity provider for a new Experience Cloud site and the identity architect is deciding which login experience to use for the site.
Which two page types are valid login page types for the site?
Choose 2 answers
A . Experience Builder Page
B . Lightning Experience Page
C . Login Discovery Page
D . Embedded Login Page
Answer: C, D
Northern Trail Outfitters (NTO) utilizes a third-party cloud solution for an employee portal. NTO also owns Salesforce Service Cloud and would like employees to be able to log in to Salesforce with their third-party portal credentials for a seamless experience. The third-party employee portal only supports OAuth.
What should an identity architect recommend to enable single sign-on (SSO) between the portal and Salesforce?
A . Configure SSO to use the third-party portal as an identity provider.
B . Create a custom external authentication provider.
C . Add the third-party portal as a connected app.
D . Configure Salesforce for Delegated Authentication.
Answer: A
Northern Trail Outfitters (NTO) is planning to implement a community for its customers using Salesforce Experience Cloud. Customers are not able to self-register. NTO would like to have customers set their own passwords when provided access to the community.
Which two recommendations should an identity architect make to fulfill this requirement?
Choose 2 answers
A . Add customers as contacts and add them to Experience Cloud site.
B . Enable Welcome emails while configuring the Experience Cloud site.
C . Allow Password reset using the API to update Experience Cloud site membership.
D . Use Login Flows to allow users to reset password in Experience Cloud site.
Answer: C, D
An Enterprise is using a Lightweight Directory Access Protocol (LDAP) server as the only point for user authentication with a username/password. Salesforce delegated authentication is configured to integrate Salesforce under single sign-on (SSO).
How can end users change their password?
A . Users, once logged in, can go to the Change Password screen in Salesforce.
B . Users can click on the ‘Forgot your Password’ link on the Salesforce.com login page.
C . Users can request the Salesforce Admin to reset their password.
D . Users can change it on the enterprise LDAP authentication portal.
Answer: C
Universal Containers (UC) is planning to add Wi-Fi-enabled GPS tracking devices to its shipping containers so that the GPS coordinates data can be sent from the tracking device to its Salesforce production org via a custom API. The GPS devices have no direct user input or output capabilities.
Which OAuth flow should the identity architect recommend to meet the requirement?
A . OAuth 2.0 Asset Token Flow for Securing Connected Devices
B . OAuth 2.0 Username-Password Flow for Special Scenarios
C . OAuth 2.0 Web Server Flow for Web App Integration
D . OAuth 2.0 JWT Bearer Flow for Server-to-Server Integration
Answer: A
Northern Trail Outfitters (NTO) has a requirement to ensure all user logins include a single multi-factor authentication (MFA) prompt. Currently, users are allowed the choice to login with a username and password or via single sign-on against NTO’s corporate Identity Provider, which includes built-in MFA.
Which configuration will meet this requirement?
A . Create and assign a permission set to all employees that includes ‘MFA for User Interface Logins.’
B . Create a custom login flow that enforces MFA and assign it to a permission set. Then assign the permission set to all employees.
C . Enable ‘MFA for User Interface Logins’ for your organization from Setup -> Identity Verification.
D . For all employee profiles, set the Session Level Required at Login to High Assurance and add the corporate identity provider to the High Assurance list for the org’s Session Security Levels.
Answer: C
An identity architect has built a native mobile application and plans to integrate it with a Salesforce Identity solution. The following are the requirements for the solution:
- Users should not have to login every time they use the app.
- The app should be able to make calls to the Salesforce REST API.
- End users should NOT see the OAuth approval page.
How should the identity architect configure the Salesforce connected app to meet the requirements?
A . Enable the API Scope and Offline Access Scope, upload a certificate so JWT Bearer Flow can be used, and then set the connected app access settings to ‘Admin Pre-Approved’.
B . Enable the API Scope and Offline Access Scope on the connected app, and then set the connected app access settings to ‘Admin Pre-Approved’.
C . Enable the Full Access Scope and then set the connected app access settings to ‘Admin Pre-Approved’.
D . Enable the API Scope and Offline Access Scope on the connected app, and then set the connected app access settings to ‘User may self authorize’.
Answer: A
Northern Trail Outfitters (NTO) wants to improve its engagement with existing customers to boost customer loyalty. To get a better understanding of its customers, NTO establishes a single customer view including their buying behaviors, channel preferences and purchasing history. All of this information exists but is spread across different systems and formats.
NTO has decided to use Salesforce as the platform to build a 360 degree view. The company already uses Microsoft Active Directory (AD) to manage its users and company assets.
What should an Identity Architect do to provision, deprovision and authenticate users?
A . Salesforce Identity is not needed since NTO uses Microsoft AD.
B . Salesforce Identity can be included but NTO will be required to build a custom integration with Microsoft AD.
C . Salesforce Identity is included in the Salesforce licenses so it does not need to be considered separately.
D . Salesforce Identity can be included, but NTO will require Identity Connect.
Answer: D
Universal Containers’ (UC) identity architect needs to recommend a license type for their new Experience Cloud site that will be used by external partners (delivery providers) for reviewing and updating their accounts, downloading files provided by UC and obtaining scheduled pickup dates from their calendar.
UC is using their Salesforce production org as the identity provider for these users and the expected number of individual users is 2.5 million with 13.5 million unique logins per month.
Which of the following license types should be used to meet the requirement?
A . External Apps License
B . Partner Community License
C . Partner Community Login License
D . Customer Community plus Login License
Answer: D
A technology enterprise is setting up an identity solution with an external vendor’s wellness application for its employees. The user attributes need to be returned to the wellness application in an ID token.
Which authentication mechanism should an identity architect recommend to meet the requirements?
A . OpenID Connect
B . User Agent Flow
C . JWT Bearer Token Flow
D . Web Server Flow
Answer: D
A security architect is rolling out a new multi-factor authentication (MFA) mandate, where all employees must go through a secure authentication process before accessing Salesforce. There are multiple Identity Providers (IdP) in place and the architect is considering how the ‘Authentication Method Reference’ field (AMR) in the Login History can help.
Which two considerations should the architect keep in mind?
Choose 2 answers
A . The AMR field shows the authentication methods used at the IdP.
B . Both OIDC and Security Assertion Markup Language (SAML) are supported, but AMR must be implemented at the IdP.
C . High-assurance sessions must be configured under Session Security Level Policies.
D . There is a dependency on what is supported by the OpenID Connect (OIDC) implementation at the IdP.
Answer: A, B
A global fitness equipment manufacturer is planning to sell fitness tracking devices and has the following requirements:
1) Customer purchases the device.
2) Customer registers the device using their mobile app.
3) A case should automatically be created in Salesforce and associated with the customer’s account in cases where the device registers issues with tracking.
Which OAuth flow should be used to meet these requirements?
A . OAuth 2.0 Asset Token Flow
B . OAuth 2.0 Username-Password Flow
C . OAuth 2.0 User-Agent Flow
D . OAuth 2.0 SAML Bearer Assertion Flow
Answer: A
The CMO of an advertising company has invited an Identity and Access Management (IAM) specialist to discuss Salesforce out-of-box capabilities for configuring the company’s login and registration experience on Salesforce Experience Cloud.
The CMO is looking to brand the login page with the company’s logo, background color, login button color, and dynamic right-frame from an external URL.
Which two solutions should the IAM specialist recommend?
Choose 2 answers
A . Use Experience Builder to build branded Reset and Forgot Password pages.
B . Build custom pages for branding requirements in Experience Cloud.
C . Build custom site pages for reset and forgot password features.
D . Login & Registration pages can be branded in the Community Administration settings.
Answer: A, D
Universal Containers (UC) wants to provide single sign-on (SSO) for a business-to-consumer (B2C) application using Salesforce Identity.
Which Salesforce license should UC utilize to implement this use case?
A . Identity Only
B . Salesforce Platform
C . External Identity
D . Partner Community
Answer: C
Universal Containers is creating a mobile application that will be secured by Salesforce Identity using the OAuth 2.0 user-agent flow. Application users will authenticate using username and password. They should not be forced to approve API access in the mobile app or reauthenticate for 3 months.
Which two connected app options need to be configured to fulfill this use case?
Choose 2 answers
A . Set Permitted Users to ‘Admin approved users are pre-authorized’.
B . Set Permitted Users to ‘All users may self-authorize’.
C . Set the Session Timeout value to 3 months.
D . Set the Refresh Token Policy to expire refresh token after 3 months.
Answer: B, D
Universal Containers (UC) has built a custom time-tracking app for its employees. UC wants to leverage Salesforce Identity to control access to the custom app. At a minimum, which Salesforce license is required to support this requirement?
A . Identity Verification
B . Identity Connect
C . Identity Only
D . External Identity
Answer: C
Northern Trail Outfitters wants to implement a partner community. Active community users will need to review and accept the community rules and update key contact information for each community member before their annual partner event.
Which approach will meet this requirement?
A . Create tasks for users who need to update their data or accept the new community rules.
B . Create a custom landing page and email campaign asking all community members to login and verify their data.
C . Create a login flow that conditionally prompts users who have not accepted the new community rules and who have missing or outdated information.
D . Add a banner to the community Home page asking users to update their profile and accept the new community rules.
Answer: C
Universal Containers (UC) is using Active Directory as its corporate identity provider and Salesforce as its CRM for customer care agents, who use SAML-based single sign-on to log in to Salesforce. The default agent profile does not include the Manage Users permission. UC wants to dynamically update the agent role and permission sets.
Which two mechanisms are used to provision agents with the appropriate permissions?
Choose 2 answers
A . Use Login Flow in User Context to update role and permission sets.
B . Use Login Flow in System Context to update role and permission sets.
C . Use SAML Just-in-Time (JIT) handler class run as current user to update role and permission sets.
D . Use SAML Just-in-Time (JIT) handler class run as an admin user to update role and permission sets.
Answer: B, D
Northern Trail Outfitters wants to allow its consumers to self-register on its business-to-consumer (B2C) portal that is built on Experience Cloud. The identity architect has recommended using Person Accounts.
Which three steps need to be configured to enable self-registration using person accounts?
Choose 3 answers
A . Enable access to person and business account record types under Public Access Settings.
B . Contact Salesforce Support to enable business accounts.
C . Under Login and Registration settings, ensure that the default account field is empty.
D . Contact Salesforce Support to enable person accounts.
E . Set organization-wide default sharing for Contact to Public Read Only.
Answer: A, C, D
Which tool should be used to track login data, such as the average number of logins, who logged in more than the average number of times and who logged in during non-business hours?
A . Login Inspector
B . Login History
C . Login Report
D . Login Forensics
Answer: D
An organization has a central cloud-based Identity and Access Management (IAM) Service for authentication and user management, which must be utilized by all applications as follows:
1 - Change of a user status in the central IAM Service triggers provisioning or deprovisioning in the integrated cloud applications.
2 - Security Assertion Markup Language single sign-on (SSO) is used to facilitate access for users authenticated at the identity provider (Central IAM Service).
Which approach should an IAM architect implement on Salesforce Sales Cloud to meet the requirements?
A . Configure Salesforce as a SAML Service Provider, and enable SCIM (System for Cross-Domain Identity Management) for provisioning and deprovisioning of users.
B . Configure Salesforce as a SAML service provider, and enable Just-in-Time (JIT) provisioning and deprovisioning of users.
C . Configure central IAM Service as an authentication provider and extend registration handler to manage provisioning and deprovisioning of users.
D . Deploy Identity Connect component and set up automated provisioning and deprovisioning of users, as well as SAML-based SSO.
Answer: A
Northern Trail Outfitters (NTO) is launching a new sportswear brand on its existing consumer portal built on Salesforce Experience Cloud. As part of the launch, emails with promotional links will be sent to existing customers to log in and claim a discount. The marketing manager would like the portal dynamically branded so that users will be directed to the brand link they clicked on; otherwise, users will view a recognizable NTO-branded page.
The campaign is launching quickly, so there is no time to procure any additional licenses. However, the development team is available to apply any required changes to the portal.
Which approach should the identity architect recommend?
A . Create a full sandbox to replicate the portal site and update the branding accordingly.
B . Implement Experience ID in the code and extend the URLs and endpoints, as required.
C . Use Heroku to build the new brand site and embedded login to reuse identities.
D . Configure an additional community site on the same org that is dedicated for the new brand.
Answer: B
A service provider (SP) supports both Security Assertion Markup Language (SAML) and OpenID Connect
(OIDC).
When integrating this SP with Salesforce, which use case is the determining factor when choosing OIDC or SAML?
A . OIDC is more secure than SAML and therefore is the obvious choice.
B . The SP needs to perform API calls back to Salesforce on behalf of the user after the user logs in to the
service provider.
C . If the user has a session on Salesforce, you do not want them to be prompted for a username and password
when they login to the SP.
D . They are equivalent protocols and there is no real reason to choose one over the other.
Answer: B
A consumer products company uses Salesforce to maintain consumer information, including orders. The company implemented a portal solution using Salesforce Experience Cloud for its consumers where the consumers can log in using their credentials. The company is considering allowing users to login with their
Facebook or LinkedIn credentials.
Once enabled, what role will Salesforce play?
A . Facebook and LinkedIn will be the SPs.
B . Salesforce will be the service provider (SP).
C . Salesforce will be the identity provider (IdP).
D . Facebook and LinkedIn will act as the IdPs and SPs.
Answer: B
Northern Trail Outfitters recently acquired a company. Each company will retain its Identity Provider (IdP). Both companies rely extensively on Salesforce processes that send emails to users to take specific actions in Salesforce.
How should the combined companies' employees collaborate in a single Salesforce org, yet authenticate to the
appropriate IdP?
A . Configure unique MyDomains for each company and have generated links use the appropriate MyDomain
in the URL.
B . Have generated links append a querystring parameter indicating the IdP. The login service will redirect to
the appropriate IdP.
C . Have generated links be prefixed with the appropriate IdP URL to invoke an IdP-initiated Security Assertion
Markup Language flow when clicked.
D . Enable each IdP as a login option in the MyDomain Authentication Service settings. Users will then click on
the appropriate IdP button.
Answer: D
Universal Containers (UC) operates in Asia, Europe and North America regions. There is one Salesforce org for each region. UC is implementing Customer 360 in Salesforce and has procured External Identity and Customer Community licenses in all orgs.
Customers of UC use Community to track orders and create inquiries. Customers also tend to move across regions frequently.
What should an identity architect recommend to optimize license usage and reduce maintenance overhead?
A . Merge three orgs into one instance of Salesforce. This will no longer require maintaining three separate
copies of the same customer.
B . Delete contact/account records and deactivate user if user moves from a specific region; Sync will no
longer be required.
C . Contacts are required since Community access needs to be enabled. Maintenance is a necessary overhead
that must be handled via data integration.
D . Enable Contactless User in all orgs and downgrade users from Experience Cloud license to External Identity
license once users have moved out of that region.
Answer: C
Universal Containers would like its customers to register and log in to a portal built on Salesforce Experience Cloud. Customers should be able to use their Facebook or LinkedIn credentials for ease of use.
Which three steps should an identity architect take to implement social sign-on?
Choose 3 answers
A . Register both Facebook and LinkedIn as connected apps.
B . Create authentication providers for both Facebook and LinkedIn.
C . Check ‘Facebook’ and ‘LinkedIn’ under Login Page Setup.
D . Enable ‘Federated Single Sign-On Using SAML’.
E . Update the default registration handlers to create and update users.
Answer: B, C, E
Northern Trail Outfitters (NTO) uses Salesforce Experience Cloud sites (previously known as Customer Community) to provide a digital portal where customers can log in using their Google account.
NTO would like to automatically create a case record for first time users logging into Salesforce Experience Cloud.
What should an Identity architect do to fulfill the requirement?
A . Configure an authentication provider for Social Login using Google and a custom registration handler.
B . Implement a Just-in-Time handler class that has logic to create cases upon first login.
C . Create an authentication provider for Social Login using Google and leverage standard registration handler.
D . Implement a login flow with a record create component for Case.
Answer: D
A Salesforce customer is implementing Sales Cloud and a custom pricing application for its call center agents. An Enterprise single sign-on solution is used to authenticate and sign-in users to all applications. The customer has the following requirements:
- The development team has decided to use a Canvas app to expose the pricing application to agents.
- Agents should be able to access the Canvas app without needing to log in to the pricing application.
Which two options should the identity architect consider to provide support for the Canvas app to initiate login for users?
Choose 2 answers
A . Select ‘Enable as a Canvas Personal App’ in the connected app settings.
B . Enable OAuth settings in the connected app with required OAuth scopes for the pricing application.
C . Configure the Canvas app as a connected app and set Admin-approved users as pre-authorized.
D . Enable SAML in the connected app and Security Assertion Markup Language (SAML) Initiation Method as Service Provider Initiated.
Answer: C, D
A pharmaceutical company has an on-premise application (see illustration) that it wants to integrate with
Salesforce. The IT director wants to ensure that requests must include a certificate with a trusted certificate chain to
access the company’s on-premise application endpoint.
What should an Identity architect do to meet this requirement?
A . Use open SSL to generate a Self-signed Certificate and upload it to the on-premise app.
B . Configure the company firewall to allow traffic from Salesforce IP ranges.
C . Generate a certificate authority-signed certificate in Salesforce and upload it to the on-premise
application Truststore.
D . Upload a third-party certificate from Salesforce into the on-premise server.
Answer: B
Universal Containers (UC) is rolling out its new Customer Identity and Access Management Solution built on top of its existing Salesforce instance. UC wants to allow customers to login using Facebook, Google, and other social sign-on providers.
How should this functionality be enabled for UC, assuming all social sign-on providers support OpenID
Connect?
A . Configure an authentication provider and a registration handler for each social sign-on provider.
B . Configure a single sign-on setting and a registration handler for each social sign-on provider.
C . Configure an authentication provider and a Just-In-Time (JIT) handler for each social sign-on provider.
D . Configure a single sign-on setting and a JIT handler for each social sign-on provider.
Answer: A
Universal Containers (UC) uses Salesforce as a CRM and identity provider (IdP) for their Sales Team to seamlessly log in to internal portals. The IT team at UC is now evaluating Salesforce to act as an IdP for its remaining employees.
Which Salesforce license is required to fulfill this requirement?
A . External Identity
B . Identity Verification
C . Identity Connect
D . Identity Only
Answer: D
How should an identity architect automate provisioning and deprovisioning of users into Salesforce from an external system?
A . Call SOAP API upsert() on the User object.
B . Use Security Assertion Markup Language Just-in-Time (SAML JIT) on incoming SAML assertions.
C . Run registration handler on incoming OAuth responses.
D . Call OpenID Connect (OIDC)-userinfo endpoint with a valid access token.
Answer: C
Northern Trail Outfitters (NTO) wants to give customers the ability to submit and manage issues with their purchases. It is important for NTO to give its customers the ability to log in with their Facebook and Twitter
credentials.
Which two actions should an identity architect recommend to meet these requirements?
Choose 2 answers
A . Create a custom external authentication provider for Facebook.
B . Configure a predefined authentication provider for Facebook.
C . Create a custom external authentication provider for Twitter.
D . Configure a predefined authentication provider for Twitter.
Answer: B, D
A third-party app provider would like to have users provisioned via a service endpoint before users access
their app from Salesforce.
What should an identity architect recommend to configure the requirement with limited changes to the third-party app?
A . Use a connected app with user provisioning flow.
B . Create Canvas app in Salesforce for third-party app to provision users.
C . Redirect users to the third-party app for registration.
D . Use Salesforce identity with Security Assertion Markup Language (SAML) for provisioning users.
Answer: A
Northern Trail Outfitters (NTO) is planning to roll out a partner portal for its distributors using Experience Cloud. NTO would like to use an external identity provider (IdP) and for partners to register for access to the portal. Each partner should be allowed to register only once to avoid duplicate accounts with Salesforce.
What should an identity architect recommend to create partners?
A . On successful creation of Partners using Self Registration page in Experience Cloud, create identity in Ping.
B . Create a custom page Experience Cloud to self register partner with Experience Cloud and Ping identity
store.
C . Create a custom web page in the Portal and create users in the IdP and Experience Cloud using published
APIs.
D . Allow partners to register through the IdP and create partner users in Salesforce through an API.
Answer: B
An Identity and Access Management (IAM) Architect is recommending Identity Connect to integrate Microsoft
Active Directory (AD) with Salesforce for user provisioning, deprovisioning and single sign-on (SSO).
Which feature of Identity Connect is applicable for this scenario?
A . When Identity Connect is in place, if a user is deprovisioned in an on-premise AD, the user’s Salesforce
session is revoked immediately.
B . If the number of provisioned users exceeds Salesforce licence allowances, Identity Connect will start
disabling the existing Salesforce users in First-in, First-out (FIFO) fashion.
C . Identity Connect can be deployed as a managed package on a Salesforce org, leveraging High Availability of
Salesforce Platform out-of-the-box.
D . When configured, Identity Connect acts as an identity provider to both Active Directory and Salesforce,
thus providing SSO as a default feature.
Answer: A
Users logging into Salesforce are frequently prompted to verify their identity.
The identity architect is required to provide recommendations so that frequency of prompt verification can be
reduced.
What should the identity architect recommend to meet the requirement?
A . Implement 2FA authentication for the Salesforce org.
B . Set trusted IP ranges for the organization.
C . Implement single sign-on for Salesforce using an external identity provider.
D . Implement multi-factor authentication for the Salesforce org.
Answer: B
A financial services company uses Salesforce and has a compliance requirement to track information about devices from which users log in. Also, a Salesforce Security Administrator needs to have the ability to revoke the device from which users log in.
What should be used to fulfill this requirement?
A . Use multi-factor authentication (MFA) to meet the compliance requirement to track device information.
B . Use the Activations feature to meet the compliance requirement to track device information.
C . Use the Login History object to track information about devices from which users log in.
D . Use Login Flows to capture device from which users log in and store device and user information in a
custom object.
Answer: B
Northern Trail Outfitters (NTO) wants its customers to use phone numbers to log in to their new digital portal, which was designed and built using Salesforce Experience Cloud. In order to access the portal, the user will need to do the following:
- Enter a phone number and/or email address
- Enter a verification code that is to be sent via email or text.
What is the recommended approach to fulfill this requirement?
A . Create a Login Discovery page and provide a Login Discovery Handler Apex class.
B . Create a custom login page with an Apex controller. The controller has logic to send and verify the identity.
C . Create an Authentication provider and implement a self-registration handler class.
D . Create a custom login flow that uses an Apex controller to verify the phone numbers with the company’s
verification service.
Answer: A
A multinational company is looking to roll out Salesforce globally. The company has a Microsoft Active
Directory Federation Services (ADFS) implementation for the Americas, Europe and APAC. The company plans
to have a single org and they would like to have all of its users access Salesforce using the ADFS. The company
would like to limit its investments and prefer not to procure additional applications to satisfy the
requirements.
What is recommended to ensure these requirements are met?
A . Use connected apps for each ADFS implementation and implement Salesforce site to authenticate users
across the ADFS system applicable to their geo.
B . Implement Identity Connect to provide single sign-on to Salesforce and federated across multiple ADFS
systems.
C . Add a central identity system that federates between the ADFS systems and integrate with Salesforce for
single sign-on.
D . Configure Each ADFS system under single sign-on settings and allow users to choose the system to
authenticate during sign on to Salesforce.
Answer: B
Universal Containers is implementing Salesforce Identity to broker authentication from its enterprise single
sign-on (SSO) solution through Salesforce to third party applications using SAML.
What role does Salesforce Identity play in its relationship with the enterprise SSO system?
A . Identity Provider (IdP)
B . Resource Server
C . Service Provider (SP)
D . Client Application
Answer: C
Universal Containers (UC) is building a custom employee hub application on Amazon Web Services (AWS) and would like to store their users’ credentials there. Users will also need access to Salesforce for internal operations. UC has tasked an identity architect with evaluating different solutions for authentication and
authorization between AWS and Salesforce.
How should an identity architect configure AWS to authenticate and authorize Salesforce users?
A . Configure the custom employee app as a connected app.
B . Configure AWS as an OpenID Connect Provider.
C . Create a custom external authentication provider.
D . Develop a custom Auth server in AWS.
Answer: B
An Identity architect works for a multinational, multi-brand organization. As they work with the organization to understand their Customer Identity and Access Management requirements, the identity architect learns that the brand experience is different for each of the customer’s sub-brands and each of these branded
experiences must be carried through the login experience depending on which sub-brand the user is logging
into.
Which solution should the architect recommend to support scalability and reduce maintenance costs, if the
organization has more than 150 sub-brands?
A . Assign each sub-brand a unique Experience ID and use the Experience ID to dynamically brand the login
experience.
B . Use Audiences to customize the login experience for each sub-brand and pass an audience ID to the
community during the OAuth and Security Assertion Markup Language (SAML) flows.
C . Create a community subdomain for each sub-brand and customize the look and feel of the Login page for
each community subdomain to match the brand.
D . Create a separate Salesforce org for each sub-brand so that each sub-brand has complete control over the
user experience.
Answer: A
A farming enterprise offers smart farming technology to its farmer customers, which includes a variety of sensors for livestock tracking, pest monitoring, climate monitoring etc. They plan to store all the data in Salesforce. They would also like to ensure timely maintenance of the installed sensors. They have engaged a
Salesforce Architect to propose an appropriate way to generate sensor information in Salesforce.
Which OAuth flow should the architect recommend?
A . OAuth 2.0 Asset Token Flow
B . OAuth 2.0 Device Authentication Flow
C . OAuth 2.0 JWT Bearer Token Flow
D . OAuth 2.0 SAML Bearer Assertion Flow
Answer: A
A technology enterprise is planning to implement single sign-on login for users. When users log in to Salesforce, User object custom field data should be populated for new and existing users.
Which two steps should an identity architect recommend?
Choose 2 answers
A . Implement Auth.SamlJitHandler Interface.
B . Create and update methods.
C . Implement RegistrationHandler Interface.
D . Implement SessionManagement Class.
Answer: A, B
A company with 15,000 employees is using Salesforce and would like to take the necessary steps to highlight or curb fraudulent activity. Which tool should be used to track login data, such as the average number of logins, who logged in more than the average number of times and who logged in during non-business hours?
A . Login Forensics
B . Login Report
C . Login Inspector
D . Login History
Answer: A
Northern Trail Outfitters would like to automatically create new employee users in Salesforce with an appropriate profile that maps to its Active Directory Department.
How should an identity architect implement this requirement?
A . Use the createUser method in the Just-in-Time (JIT) provisioning registration handler to assign the
appropriate profile.
B . Use the updateUser method in the Just-in-Time (JIT) provisioning registration handler to assign the
appropriate profile.
C . Use a login flow to collect Security Assertion Markup Language attributes and assign the appropriate profile
during Just-In-Time
(JIT) provisioning.
D . Make a callout during the login flow to query department from Active Directory to assign the appropriate
profile.
Answer: B
Northern Trail Outfitters is implementing a business-to-business (B2B) collaboration site using Salesforce Experience Cloud. The partners will authenticate with an existing identity provider and the solution will utilize Security Assertion Markup Language (SAML) to provide single sign-on to Salesforce. Delegated administration
will be used in the Experience Cloud site to allow the partners to administer their users’ access.
How should a partner identity be provisioned in Salesforce for this solution?
A . Create only a contact.
B . Create a contactless user.
C . Create a user and a related contact.
D . Create a person account.
Answer: C
Northern Trail Outfitters (NTO) has a number of employees who do NOT need access to Salesforce objects. The employees should sign in to a custom Benefits web app using their Salesforce credentials.
Which license should the identity architect recommend to fulfill this requirement?
A . Identity Only License
B . External Identity License
C . Identity Verification Credits Add-on License
D . Identity Connect License
Answer: A
Northern Trail Outfitters (NTO) is planning to build a new customer service portal and wants to use passwordless login, allowing customers to login with a one-time passcode sent to them via email or SMS.
How should the quantity of required Identity Verification Credits be estimated?
A . Each community comes with 10,000 Identity Verification Credits per month and only customers with more
than 10,000 logins a month should estimate additional SMS verifications needed.
B . Identity Verification Credits are consumed with each SMS (text message) sent and should be estimated
based on the number of login verification challenges for SMS verification users.
C . Identity Verification Credits are consumed with each verification sent and should be estimated based on
the number of logins
that will incur a verification challenge.
D . Identity Verification Credits are a direct add-on license based on the number of existing member-based or
login-based Community licenses.
Answer: B
A global fitness equipment manufacturer uses Salesforce to manage its sales cycle. The manufacturer has a custom order fulfillment app that needs to request order data from Salesforce. The order fulfillment app needs to integrate with the Salesforce API using OAuth 2.0 protocol.
What should an identity architect use to fulfill this requirement?
A . Canvas App Integration
B . OAuth Tokens
C . Authentication Providers
D . Connected App and OAuth scopes
Answer: D
Which two things should be done to ensure end users can only use single sign-on (SSO) to login in to Salesforce?
Choose 2 answers
A . Enable My Domain and select ‘Prevent login from https://login.salesforce.com’.
B . Request Salesforce Support to enable delegated authentication.
C . Once SSO is enabled, users are only able to login using Salesforce credentials.
D . Assign user ‘is Single Sign-on Enabled’ permission via profile or permission set.
Answer: A, D
An identity architect has been asked to recommend a solution that allows administrators to configure personalized alert messages to users before they land on the Experience Cloud site (formerly known as Community) homepage.
What is recommended to fulfill this requirement with the least amount of customization?
A . Customize the registration handler Apex class to create a routing logic navigating to different home pages
based on the user profile.
B . Use Login Flows to add a screen that shows personalized alerts.
C . Build a Lightning Web Component (LWC) for a homepage that shows custom alerts.
D . Create custom metadata that stores user alerts and use a LWC to display alerts
Answer: B
Northern Trail Outfitters (NTO) uses a Security Assertion Markup Language (SAML)-based Identity Provider (IdP) to authenticate employees to all systems. The IdP authenticates users against a Lightweight Directory Access Protocol (LDAP) directory and has access to user information. NTO wants to minimize Salesforce license usage since only a small percentage of users need Salesforce.
What is recommended to ensure new employees have immediate access to Salesforce using their current IdP?
A . Install Salesforce Identity Connect to automatically provision new users in Salesforce the first time they
attempt to login.
B . Build an integration that queries LDAP periodically and creates new active users in Salesforce.
C . Configure Just-in-Time provisioning using SAML attributes to create new Salesforce users as necessary
when a new user attempts to login to Salesforce.
D . Build an integration that queries LDAP and creates new inactive users in Salesforce and use a login flow to
activate the user at
first login.
Answer: C
Northern Trail Outfitters (NTO) has an existing custom business-to-consumer (B2C) website that does NOT support single sign-on standards, such as Security Assertion Markup Language (SAML) or OAuth. NTO wants to use Salesforce Identity to register and authenticate new customers on the website.
Which two Salesforce features should an identity architect use in order to provide username/password authentication for the website?
Choose 2 answers
A . Identity Connect
B . Delegated Authentication
C . Connected Apps
D . Embedded Login
Answer: B, D
Universal Containers (UC) is rolling out a new Customer Identity and Access Management Solution that will be built on top of its existing Salesforce instance.
Several service providers have been set up and integrated with Salesforce using OpenID Connect to allow for a
seamless single sign-on experience. UC has a requirement to limit user access to only a subset of service providers per customer type.
Which two steps should be done on the platform to satisfy the requirement?
Choose 2 answers
A . Manage which connected apps a user has access to by assigning authentication providers to the user's
profile.
B . Assign the connected app to the customer community, and enable the user's profile in the Community
settings.
C . Use Profiles and Permission Sets to assign user access to Admin Pre-Approved Connected Apps.
D . Set each of the Connected App access settings to Admin Pre-Approved.
Answer: C, D
An identity architect wants to secure Salesforce APIs using Security Assertion Markup Language (SAML). For security purposes, administrators will need to authorize the applications that will be consuming the APIs.
Which Salesforce OAuth authorization flow should be used?
A . OAuth 2-0 SAML Bearer Assertion Flow
B . OAuth 2.0 JWT Bearer Flow
C . SAML Assertion Flow
D . OAuth 2.0 User-Agent Flow
Answer: C
A company’s external application is protected by Salesforce through OAuth. The identity architect for the project needs to limit the level of access to the data of the protected resource in a flexible way.
What should be done to improve security?
A . Select ‘Admin approved users are pre-authorized’ and assign specific profiles.
B . Create custom scopes and assign to the connected app.
C . Define a permission set that grants access to the app and assign to authorized users.
D . Leverage external objects and data classification policies.
Answer: B
Universal Containers is building a web application that will connect with the Salesforce API using JWT OAuth
Flow.
Which two settings need to be configured in the connected app to support this requirement?
Choose 2 answers
A . The Use Digital Signature option in the connected app.
B . The ‘web’ OAuth scope in the connected app.
C . The ‘api’ OAuth scope in the connected app.
D . The ‘eclair_api’ OAuth scope in the connected app.
Answer: A, C
A large consumer company is planning to create a community and will require login through the customer's social identity. The following requirements must be met:
1. The customer should be able to log in with any of their social identities; however, Salesforce should only have
one user per customer.
2. Once the customer has been identified with a social identity, they should not be required to authorize
Salesforce.
3. The customer's personal details from the social sign-on need to be captured when the customer logs into
Salesforce using their social identity.
4. If the customer modifies their personal details in the social site, the changes should be updated in
Salesforce.
Which two options allow the Identity Architect to fulfill the requirements?
Choose 2 answers
A . Use Login Flows to call an authentication registration handler to provision the user before logging the user
into the community.
B . Use authentication providers for social sign-on and use the custom registration handler to insert or update
personal details.
C . Redirect the user to a custom page that allows the user to select an existing social identity for login.
D . Use the custom registration handler to link social identities to Salesforce identities.
Answer: B, D
Universal Containers wants to allow its customers to log in to its Experience Cloud via a third party authentication provider that supports only the OAuth protocol.
What should an identity architect do to fulfill this requirement?
A . Contact Salesforce Support and enable delegate single sign-on.
B . Create a custom external authentication provider.
C . Use certificate-based authentication.
D . Configure OpenID Connect authentication provider.
Answer: B
Universal Containers is implementing a new Experience Cloud site and the identity architect wants to use dynamic branding features as part of the login process.
Which two options should the identity architect recommend to support dynamic branding for the site?
Choose 2 answers
A . To use dynamic branding, the community must be built with the Visualforce + Salesforce Tabs template.
B . To use dynamic branding, the community must be built with the Customer Account Portal template.
C . An experience ID (expid) or placeholder parameter must be used in the URL to represent the brand.
D . An external content management system (CMS) must be used for dynamic branding on Experience Cloud
sites.
Answer: B, C
A leading fitness tracker company is getting ready to launch a customer community. The company wants its customers to login to the community and connect their fitness device to their profile. Customers should be able to obtain exercise details and fitness recommendation in the community.
Which should be used to satisfy this requirement?
A . Named Credentials
B . Login Flows
C . OAuth Device Flow
D . Single Sign-On Settings
Answer: C
Northern Trail Outfitters (NTO) is setting up Salesforce to authenticate users with an external identity provider.
The NTO Salesforce Administrator is having trouble getting things setup.
What should an identity architect use to show which part of the login assertion is failing?
A . SAML Metadata file importer
B . Identity Provider Metadata download
C . Connected App Manager
D . Security Assertion Markup Language Validator
Answer: D
Universal Containers (UC) currently uses Salesforce Sales Cloud and an external billing application. Both Salesforce and the billing application are accessed several times a day to manage customers. UC would like to configure single sign-on and leverage Salesforce as the identity provider. Additionally, UC would like the billing
application to be accessible from Salesforce. A redirect is acceptable.
Which two Salesforce tools should an identity architect recommend to satisfy the requirements?
Choose 2 answers
A . Salesforce Canvas
B . Identity Connect
C . Connected Apps
D . App Launcher
Answer: A, D
Universal Containers (UC) is using a Salesforce Experience Cloud site for its container wholesale business. The
identity architect wants to create an authentication provider for the new site.
Which two options should be utilized in creating an authentication provider?
Choose 2 answers
A . A custom registration handler can be set.
B . A custom error URL can be set.
C . The default login user can be set.
D . The default authentication provider certificate can be set.
Answer: A, B
Northern Trail Outfitters (NTO) leverages Microsoft Active Directory (AD) for management of employee usernames, passwords, permissions, and asset access. NTO also owns a third-party single sign-on (SSO) solution. The third-party SSO solution is used for all corporate applications, including Salesforce.
NTO has asked an architect to explore Salesforce Identity Connect for automatic provisioning and deprovisioning of users in Salesforce.
What role does Identity Connect play in the outlined requirements?
A . Service Provider
B . Single Sign-On
C . Identity Provider
D . User Management
Answer: D
An identity architect is implementing a mobile-first Consumer Identity Access Management (CIAM) for external users. User authentication is the only requirement. The user's email or mobile phone number should be supported as a username.
Which two licenses are needed to meet this requirement?
Choose 2 answers.
A . External Identity Licenses
B . Identity Connect Licenses
C . Email Verification Credits
D . SMS verification Credits
Answer: A, D
The executive sponsor for an organization has asked if Salesforce supports the ability to embed a login widget into its service providers in order to create a more seamless user experience.
What should be used and considered before recommending it as a solution on the Salesforce Platform?
A . OpenID Connect Web Server Flow. Determine if the service provider is secure enough to store the client secret on.
B . Embedded Login. Identify what level of UI customization will be required to make it match the service provider's look and feel.
C . Salesforce REST APIs. Ensure that a Secure Sockets Layer (SSL) connection for the integration is used.
D . Embedded Login. Consider whether or not it relies on third-party cookies, which can cause browser compatibility issues.
Answer: D
A global company has built an external application that uses data from its Salesforce org via an OAuth 2.0 authorization flow. Upon logout, the existing Salesforce OAuth token must be invalidated.
Which action will accomplish this?
A . Use an HTTP POST to request the refresh token for the current user.
B . Use an HTTP POST to the System for Cross-domain Identity Management (SCIM) endpoint, including the current OAuth token.
C . Use an HTTP POST to make a call to the revoke token endpoint.
D . Enable Single Logout with a secure logout URL.
Answer: C
A global company’s Salesforce Identity Architect is reviewing its Salesforce production org login history and is seeing some intermittent Security Assertion Markup Language (SAML SSO) ‘Replay Detected and Assertion Invalid’ login errors.
Which two issues would cause these errors?
Choose 2 answers
A . The subject element is missing from the assertion sent to Salesforce.
B . The certificate loaded into the SSO configuration does not match the certificate used by the IdP.
C . The current time setting of the company's identity provider (IdP) and the Salesforce platform is out of sync by more than eight minutes.
D . The assertion sent to Salesforce contains an assertion ID that was previously used.
Answer: A, D
Northern Trail Outfitters (NTO) wants to give customers the ability to submit and manage issues with their purchases. It is important for NTO to give its customers the ability to log in with their Amazon credentials.
What should an identity architect recommend to meet these requirements?
A . Configure a predefined authentication provider for Amazon.
B . Create a custom external authentication provider for Amazon.
C . Configure an OpenID Connect Authentication Provider for Amazon.
D . Configure Amazon as a connected app.
Answer: C
A web service is developed that allows secure access to customer order status on the Salesforce Platform. The service connects to Salesforce through a connected app with the web server flow. The following are the required actions for the authorization flow:
1. User Authenticates and Authorizes Access
2. Request an Access Token
3. Salesforce Grants an Access Token
4. Request an Authorization Code
5. Salesforce Grants Authorization Code
What is the correct sequence for the authorization flow?
A . 1, 4, 5, 2, 3
B . 4, 1, 5, 2, 3
C . 2, 1, 3, 4, 5
D . 4, 5, 2, 3, 1
Answer: D